Creating Queries 

Clicking on Search at the top of the screen will bring up a list of searches in the 
Navigation Menu: 

[Screenshot: Navigation Menu with the Search tree expanded. Under Classic: MultiSearch (IP Addresses, MAC Address, Username), Classic A-M (ASF and WMV Metadata, Alert, BlackBerry, CNE, Call Logs, Category DNI, Cellular DNI, Cisco Passwords, Document Metadata, Document Tagging, Email Addresses, Extracted Files, Full Log DNI, HTTP Activity, IRC, Geolocation, Logins and Passwords) and Classic N-Z. To the right, a Full Log search form with Query Name, Justification, Additional Justification, Miranda Number, Datetime, Client IP (X-Forwarded-For), User, Attribute and IP Address fields.] 
The Search screen has cascading menus of different Searches: Classic, Common, 
Dictionary Hits, File Transfer, Multisearch, Network Management, User Activity, VoIP, 
and Wireless. 



Classic Queries: 

Within the Classic Menu there are three folders: MultiSearch, Classic A-M, and Classic 
N-Z. 



Multisearch: 

Expand the Multisearch folder by clicking on the plus sign: 

[Screenshot: Navigation Menu with Search > Classic > MultiSearch expanded, showing IP Addresses and MAC Address.] 

Multisearch IP Address: 

The Multisearch IP Address query allows you to search on an IP address across seven 
different searches. Think of it as a federated query using an IP address. The Multisearch 
IP Address query searches on: 

* User Activity 

* Phone Number Extractor 

* Email Addresses 

* Extracted Files 

* HTTP Activity 

* Full Log 

* Web Proxy 

Refer to some of the individual searches below for more information about specific 
queries. 

Creating a MultiSearch IP Address Query: 

When you have filled in your query name, justified it, entered an IP address, and selected 
your search engines and sites, the last thing is to submit the query. If you select "Merge 
Results", then all of your individual queries will be merged into one consolidated result. 

"Why would I want to merge my results?" 

If you want to see all of the activity together to get a "big picture" look at the IP 
address, regardless of the activity or application that is on the IP. The New GUI's results 
screens allow you to filter your results easily, which may make viewing your results more 
intuitive. See "Viewing Your Results" in this Guide. 

"Why would I want to NOT merge my results?" 

Viewing the results individually allows you to focus on a particular activity or result (e.g. 
Documents or email addresses). 
Multisearch MAC Address: 

The Multisearch MAC Address query is exactly the same as the IP address query 
except it only allows you to search on a MAC address. Follow the same instructions as 
the Multisearch IP Address query above but replace the IP address with your MAC 
address(es). 



[Screenshot: Multiple Search: MAC Address form. Fields: Query Name, Justification, Additional Justification, Miranda Number, Datetime (1 Day; Start 2009-01-22 00:00), Max Results for a Single DB; search checkboxes for User Activity, Phone Number Extractor, Email Addresses, Extracted Files, HTTP Activity, Full Log and Web Proxy; Save in my Favorites / Load From my Favorites. Callout: "Multisearch MAC Address looks just like the Multisearch IP Address query except you must now search on a MAC."] 
Multisearch Username: 

As you may have guessed, the Multisearch Username query is exactly the same as the 
IP Address query and the MAC Address query except it only allows you to search on a 
target's Username. Follow the same instructions as the Multisearch IP Address query above 
but replace the IP address with your Username(s). 



[Screenshot: Multiple Search: Username form. Fields: Query Name, Justification, Additional Justification, Miranda Number, Max Results for a Single DB; search checkboxes for User Activity, Email Addresses, Full Log and Logins and Passwords; Save in my Favorites / Load From my Favorites. Callout: "Type in the username and domain (without the @ symbol)."] 
"What is a Username?" 

A "Username" in XKEYSCORE queries is the portion before the @ symbol in an 
email address. 

For example: 

abujihad@hotmail.com : Username = abujihad 

Domain = hotmail.com 
Classic Searches (A-Z) 

There are 32 different searches between the A-M and N-Z folders. This guide will cover 
some of the most common searches. You will notice that most of the fields of the 
searches are the same, and each individual search also has fields unique to it. For 
example, the Extracted Files search has fields that are only applicable to file attachments 
(e.g., file names, file extensions) and the Email Addresses query has fields for email 
addresses (e.g., username and domains). All of the Classic queries will have common 
fields like Ports, IP addresses, Countries, SIGADs, and CaseNotations that you can use to 



[Screenshots: two Classic query forms side by side, Search: Email Addresses and Search: Phone Number Extractor. Both share Query Name, Justification, Additional Justification, Miranda Number, Datetime (1 Month; Start/Stop), IP Address (From/To), Port, Host and Country fields. The Email Addresses form adds Email Username, @Domain and Subject; the Phone Number Extractor form adds Phone Number, Number Type, Country Code and Area.] 

Callouts on the screenshots: 

Here are two Classic queries: Email Addresses and Phone Number Extractor. 

The fields between Datetime and the IP Addresses are the plug-ins unique to each query. 

The Email Address query is catered to querying on email addresses. The Phone Number 
query has phone number fields. 
Email Addresses Query: 

One of the most common queries is (you guessed it) an Email Address Query searching 
for an email address. To create a query for a specific email address, you have to fill in the 
name of the query, justify it and set a date range; then you simply fill in the email 
address(es) you want to search on and submit. 



That would look something like this... 

[Screenshot: Search: Email Addresses form filled in. Query Name: abujihad; Justification: CT target in N Africa; Datetime: 1 Month, Start 2008-12-24 00:00; Email Username: abujihad; @Domain: yahoo.com.] 

NOTE: You DO NOT have to know an email address to use the Email Address Query. 
You can also search on an IP address*, domain name**, country, port, casenotation, 
protocol, SIGAD, MAC address, PID and more. If you search on something other than an 
email address (e.g., an IP address), your results will be all of the email addresses seen on 
those IPs. 

* The IP must be hosted OUTSIDE 5-eyes countries. 

** The Domain MUST be foreign owned. Check WHOIS and NSLOOKUP for more info on your domain beforehand. 
Extracted Files Query: 

1. To find a specific file (i.e., if you already know the file name): for example, if you 
noticed a file name in your target's inbox and you never actually got the file attachment. 
This is VERY common for webmail collection because the attachment is often not put 
into PINWALE with the email. 

[Screenshot: Search: Extracted Files form. Fields: Query Name, Justification, Additional Justification, Miranda Number, Datetime, Extracted Filename, Extension, File Type (MIME Type), Is Obfuscated (yes/no), Obfuscated Real File Extension.] 



2. To search for all files or specific file types on a particular area or on a network (e.g., 
IP address). This is a GREAT query if you have a foreign mail server and want to see 
what files are collected on that IP address. 



[Screenshot: Search: Extracted Files form with a Custom datetime (Start 2009-01-24 00:00) and the Query Name ("Iranian Nuke files") and Justification filled in for files collected on a mail server IP.] 
Logins and Passwords 



1. If you already know the login and/or password. 

[Screenshot: Search: Logins and Passwords form with the Query Name and Justification filled in for Afghanistan network mail server passwords; Datetime Start/Stop around 2009-01-23.] 

Callout: If you know the logins or passwords, query on them as long as they are unique 
and will comply with USSID-18. 

"Where would I find passwords to use in this query?" 

Passwords can be found in TUNINGFORK (e.g., FoggyBottom), passed in the content of 
emails or text messages, or from previous XKEYSCORE queries. 

2. Trying to discover logins and passwords on a network? NOTE: Logins and 
passwords are valuable tools to enable Tailored Access Operations (TAO). 

"What tools would I use to get the network information like a Mail Server, or Name 
Server?" 

NSLookup tools on NSAnet such as FGXTRA1L and Open Source tools such as 
robtex.com, centralops.net, and network-tools.com are a GREAT START. They provide 
you with IP addresses for domains. You can then query on the foreign-hosted IP 
addresses. 
[Screenshot: Search: Logins and Passwords form. Query Name, Justification ("Afghanistan network mail server passwords"), Additional Justification, Miranda Number; Datetime: 1 Month, Start 2008-12-24 00:00, Stop 2009-01-23 23:59; fields User Name, Password, Domain, IP Address (From/To).] 

Callout: If you are trying to FIND logins and passwords and you know the IP address for 
the network, then search on the IP! Your results will be... LOGINS and PASSWORDS! 

Phone Number Extractor 

The Phone Number Extractor query looks through the content of an email for phone 
numbers. This is very similar to a PINWALE DoPhone query except the traffic that 
XKEYSCORE finds may be survey (i.e., unselected, non-tasked data) and might not be 
in PINWALE. XKEYSCORE may be your only hope at finding an email address for a 
target where you only have their phone number as lead information. 

1. Already have a phone number? If all you have to start with as lead information is 
a phone number, you may find it useful to query on that phone number and see if 
anyone sent an email with that number in the signature line. 



[Screenshot: Search: Phone Number Extractor form. Query Name: Afghan; Justification: Afghanistan phone number of target; Datetime: 1 Month, Start 2008-12-24 00:00; fields Phone Number, Number Type, Country Code, Area, IP Address (From/To).] 
2. Looking for any phone numbers on a network? Quite often you know the mail 
server IP address and could use some telephone numbers to task. 

[Screenshot: Search: Phone Number Extractor form. Query Name: Afghan; Justification: Afghanistan phone number of target; Datetime: 1 Month, Start 2008-12-24 00:00, Stop 2009-01-23 23:59; Phone Number, Number Type, Country Code and Area left blank; IP Address direction set to Either.] 
3. Looking for a phone number without the country code (non-normalized)? It's 
possible a target will pass their phone number without the country code (e.g. a 
signature line with "Tel: 5354658"). In that case, XKEYSCORE will not find the 
number with the country code, so you must create a query that looks for fewer 
digits but still complies with USSID-18. This is not a 100% solution*, but 
ANDing your query with a country or IP address would certainly be more 
compliant. See example below: 




[Screenshots: two Phone Number Extractor forms. In both, the Phone Number field holds the short (non-normalized) number and Number Type, Country Code and Area are blank. The first ANDs it with a Country (From/To/Either); the second ANDs it with an IP Address (From/To/Either) and Port.] 

Callouts: 

The number you enter here isn't normalized because you expect to see it in traffic 
without the country code. To make this USSID-18 compliant you must AND this with 
something like a country or IP address. 

This example shows traffic in/out of Pakistan. 

This example shows traffic in/out of a particular network/IP Address. 

*If you ask XKEYSCORE to give you all Pakistani traffic, it's doing an NKB lookup on all Pakistani 
registered IP addresses. Geolocation of IP addresses is not 100% accurate at this time. Unofficial estimates 
say asking for all of Country X's traffic will find between 50-60% of the actual traffic. (That's more than 
0%, though, right?) 
HTTP Parser 

The HTTP Parser query looks for web activity (remember, HTTP = web) on a particular 
link. This query is useful for several reasons. Firstly, if you know a particular website and 
want to see if a foreign target visits it (e.g. an extremist web forum URL, or 
maps.google.com). Secondly, this query enables you to query on a network IP(s), 
casenotation, or country and see what websites we don't know about (survey-type query). 

Here are two examples: 

1. If you know the particular website the target visits. For this example, I'm looking 
for everyone in Sweden that visits a particular extremist web forum. 



[Screenshot: Search: HTTP Activity form. Query Name: HTTP in Sweden; Justification: Swedish Extremist website visitors; Datetime: 1 Week, Start 2009-01-20; HTTP Type and Host fields; IP Address direction Either; Country field further down.] 

Callouts: 

Scroll down to enter a country code (Sweden is se). 

The website URL (aka "host") is entered with a wildcard to account for "www", "mail" 
and other hosts. 

To comply with USSID-18 you must AND that with some other information like an IP or 
country. 
2. If you don't know the website but you know the network information (IP). For 
this example, I'm querying on a network IP block to see all of the websites the 
target visits. 

[Screenshot: Search: HTTP Activity form. Query Name: WebUse Iranian; Justification: Websites for Iranian University; fields including Referer, X-Forwarded-For, IP Address (From/To) and Port.] 

Callout: To comply with USSID-18 you AND that with some other information like an IP 
or country. 
Results from an HTTP Parser query 

This shows what the results from a query look like for an HTTP Parser query: 

[Screenshot: HTTP Parser results list.] 

Example 1 above shows a person was visiting www.f-gaming.com/s/stat.php 
Host - f-gaming.com 
URL Path - /s/stat.php 
Document Metadata 

The Document Metadata query allows you to search on document authors, organization, 
encryption*, and many other things about a document. This is extremely helpful if you 
have found a file attachment from a target (e.g. brick-and-mortar targets, a person, or an 
organization) and you want to see all of the other files they have sent. With the 
Document Metadata query you don't have to know the email address of the person 
sending the document, you just have to know the document's properties. 

*Most Microsoft Office versions allow users to encrypt files by clicking Tools -> Options -> Security and password 
protecting the files. The Document Metadata query looks for that type of encryption. It doesn't look for 
PGP or other 3rd party encryption. 

"How do I find a document's properties?" 

The easiest way to see this is to open an MS Office document and click on File -> 
Properties. To find the document properties for a file your target sent, the easiest way is to 
view the file in Agility and click on Properties. 

Finding your target's file properties 

If you can view the target's document in Agility, click on the Properties tab to show the 
target's Organization and/or Author. If the fields are unique or random enough you can 
query on the term itself. If the Organization or Author aren't enough to comply with 
USSID-18, then you must AND that query with supporting information (IP or Country). 
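The same properties Agility shows on its Properties tab can be read straight out of an Office file. The following is an added example written for this page, not code from the guide, from XKEYSCORE or from Agility: it builds a small constructed .docx in memory, reads the core and extended property parts that every OOXML package carries (docProps/core.xml and docProps/app.xml), and maps them onto the Document Metadata fields named above (Author, LastAuthor, Company, Subject, Keywords, Creation Time, Last Modified Time). The correspondence between those query fields and the XML elements is my assumption, as are the sample values. The container sniff reflects the fact that Office's own password protection stores the package inside an OLE compound file instead of a plain zip, which is the kind of encryption the footnote says the query looks for; PGP-wrapped files would not be caught this way either.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Namespaces used by the two property parts of an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Assumed mapping (mine, not the guide's) from Document Metadata query fields
# to the elements that carry them in docProps/core.xml and docProps/app.xml.
CORE_FIELDS = {
    "Author": "dc:creator",
    "LastAuthor": "cp:lastModifiedBy",
    "Subject": "dc:subject",
    "Keywords": "cp:keywords",
    "Creation Time": "dcterms:created",
    "Last Modified Time": "dcterms:modified",
}
APP_FIELDS = {"Company": "ep:Company", "Manager": "ep:Manager"}

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def container_type(data: bytes) -> str:
    """Sniff the outer container from its magic bytes.

    A plain .docx/.xlsx/.pptx is a zip. Office's built-in password protection
    stores the package inside an OLE compound file instead (the same container
    legacy .doc/.xls use), so an OLE file carrying an OOXML extension is a
    strong hint that the document is encrypted.
    """
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if data.startswith(OLE_MAGIC):
        return "ole-cfb"
    return "unknown"


def extract_properties(data: bytes) -> Dict[str, Optional[str]]:
    """Return the query-relevant properties of an unencrypted OOXML file;
    every field is present, None where the document does not set it."""
    props: Dict[str, Optional[str]] = {k: None for k in (*CORE_FIELDS, *APP_FIELDS)}
    if container_type(data) != "ooxml-zip":
        return props  # encrypted or legacy binary: nothing readable this way
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        parts = set(pkg.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS),
                             ("docProps/app.xml", APP_FIELDS)):
            if part not in parts:
                continue
            root = ET.fromstring(pkg.read(part))
            for name, path in fields.items():
                el = root.find(path, NS)
                props[name] = el.text if el is not None else None
    return props


def build_sample_docx() -> bytes:
    """Constructed minimal package (sample input made up for this example)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>example.author</dc:creator>"
        "<cp:lastModifiedBy>example.editor</cp:lastModifiedBy>"
        "<cp:keywords>constructed sample</cp:keywords>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2009-01-20T08:13:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2009-01-21T10:00:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    ).format(**NS)
    app = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Properties xmlns="{ep}"><Company>Example Org</Company></Properties>').format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
        pkg.writestr("word/document.xml", "<document/>")  # body irrelevant here
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print(container_type(sample))
    for name, value in extract_properties(sample).items():
        print(f"{name}: {value}")
```

Fields that come back None are ones the author's software never set; a document with a random-looking Company or Author string is the case the guide calls "unique enough to query on". Run `extract_properties` over a batch of attachments and the values that repeat across files from the same sender are the ones worth putting into the Document Metadata form.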
Displaying MS Word document in Agility: 

[Screenshot: Agility (MetaFrame Presentation Server Client) showing an MS Word attachment (application/msword) and its Properties tab, which lists Category, Company, HiddenSlideCount, LineCount, LinksUpToDate, Manager, MMClipCount, NoteCount, ParagraphCount, PresentationTarget, ScaleCrop, SlideCount, DateCreated, Keywords, Author and LastAuthor.] 
To create a query in XKEYSCORE from this information: 

[Screenshot: Search: Document Metadata form. Query Name: foreigndocuments; Justification: Swedish CT Target; Datetime: 1 Week, Start 2009-01-20 00:00; fields Document Type, Encrypted?, Corrupted?, Filename, Extension, *Subject*, *Creation Time*, *Last Modified Time*.] 
View of document properties of PDFs in Agility: 

[Screenshot: Agility Viewer showing a PDF attachment (application/pdf) and its Properties tab (Title and the other document properties).] 
To create a query in XKEYSCORE using this information: 

[Screenshot: Search: Document Metadata form. Query Name: foreigndocuments; Justification: Swedish CT Target; Stop: 2009-01-27; fields Filename, Extension, *Subject*, *Creation Time*, *Last Modified Time* and Author.] 
Creating a Workflow 

Workflows are periodic queries you can set up that run at specified times. They are great 
for sustained targets because they query the database for you (e.g. every night) and you 
can easily view the recently collected traffic without having to create a new query each 
day. They are also very helpful if you are performing target discovery on a network and 
haven't seen much traffic yet on a selector. A workflow for an email address can bridge 
the gap between when you discover the selector (and you task it to UTT/Cadence) and 
when it actually makes it to the appropriate dictionaries. 

It's important to understand that a normal (ad hoc) query is submitted when you hit 
Submit. Workflows, on the other hand, are created then submitted to the XKEYSCORE 
team for review. The XKEYSCORE team does not review it for USSID-18 compliance 
(that's up to you); they only review it to ensure your query won't strain the system with 
too complex a query. 

The first step in creating a Workflow is to click on Workflow Central: 

Then click on Request on the left to start the Workflow Request Wizard, and then click 
Next. 
[Screenshot: XKEYSCORE Workflow Central page with Results and Clear Selection controls.] 
Next, select the search type you want to create from the pull-down menu. For this, I'm 
selecting an Extracted Files query. These queries are essentially the Classic A-M and N-Z 
queries you have seen in the Classic Search screens. The only difference is an 
Extracted Files workflow will start looking for extracted files in the future and an ad hoc 
Extracted Files query will search in past/previous collection. 



[Screenshot: Workflow Central Request Wizard, "Please select a Search Type" pull-down listing Alert, ASF and WMV Metadata, BlackBerry, Call Logs, Category (DNI), Cellular DNI, Cisco Passwords, CNE, Document Metadata, Email Addresses, Extracted Files, Full Log, Wireshark, HTTP Activity, IRC, Geolocation.] 
Next, fill in the name of your query ("AfghanFiles"), the auditor-compliant justification, 
and how often you want the query to run. I recommend offsetting the time from the 
default of midnight (2400) by a few hours (before or after). For this, I'm selecting 0400. 
Then hit NEXT. 

In the Add Search Fields window, you will select the search criteria that you want to 
search on. In this example, I'm looking for specific file attachments (DOC or PDF or XLS 
or PPT) on a specific Afghanistan IP address. 

You must hit the green symbol to enter the search criteria. 
Click Next. 

Single Field Search only searches in one field (e.g. File Extensions). 

Multiple Field Search allows you to search on several fields (e.g. To IP AND From IP). 



[Screenshot: Add Search Fields dialog. Search Field pull-down listing Extension, From IP Address OR To IP Address, File Last Modified, From IP Address, To IP Address, From Port, To Port; radio buttons for Single Field Search and Multiple Field Search; Search Name and Help.] 



Next, you will select the sites where you want your query to run. Scroll down in this 
window to use the convenient "Select All" or "Uncheck All" buttons. 

NOTE: If your selector is NOFORN, you must DESELECT sites that are 2nd/3rd 
party. 
Follow-on Actions tell XKEYSCORE to do things after it runs your query. For example, 
it can email you with the results, or it can send them to Agility, or any combination of the 
two. For this example, I want XKEYSCORE to email me telling me I have results and I 
want it to download my results to Agility. Make sure you select Send to Agility if you 
want the same. 




Click the green Add symbol, and then click Next when finished. 

On the next screen, enter any comments you wish (optional) and click Next. 
Lastly, click SUBMIT. Your query isn't active yet. The XKEYSCORE team will review 
it and you will have to check back later and turn the query ON or OFF as you wish. 



[Screenshot: Navigation Menu > Workflow Central > My Workflows. Table with columns Query Type, Query Name, Last Modified, State and Actions, listing phone_number and http_parser workflows last modified 2009-01-19, most in state off.] 
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20320108 
Searching - Tips and Tricks 

The Official XKEYSCORE Frequently Asked Questions page is located here: 
http://xkeyscore.rl .r.nsa/redmine/wiki/xkeyscore/FAO . Here are some other tips/tricks 
that may be useful. 

1. Underscores in usernames: 

If your selector has an underscore in it, you must precede the underscore with a backslash. For 
example: abu_jihad would be searched as abu\_jihad. If you leave the underscore in the 
query without the backslash, you are wildcarding a single character (see below). 

To search on: abu_jihad@hotmail.com: 

Bad query: Abu_Jihad 
Good query: Abu\_jihad 

If you search on "abu_jihad" (without the backslash), you could bring back "abuljihad", 
"abuTjihad", "abuSjihad", "abu-jihad", etc., because you are wildcarding that character and 
therefore you would be pulling on an entirely different selector. 

2. To search on a range of IP addresses: 

IP Address Range: 

202.82.86.224 - 202.82.86.244 

Becomes this XKEYSCORE Query (entered in the IP Address as To, From, or Either): 
regex: 202\.82\.86\.22[4-9] OR regex: 202\.82\.86\.23[0-9] OR regex: 202\.82\.86\.24[0-4] 

3. Boolean Search Descriptions (Wildcards, ANDs, ORs, etc): 

OPERATOR   DESCRIPTION                                          USAGE 
!          Not Equal Comparison                                 beginning of word (i.e. !joe and !sam) 
or         Logical OR (search for multiple values)              between words (i.e. osama or laden) 
and        Logical AND (search for combination value matches)  between words (i.e. *osama* and *laden*); takes precedence over ORs 
*          Multiple Character Wildcard                          anywhere in word (i.e. *osam*bin*laden) 
_          Single Character Wildcard                            anywhere in word (i.e. sam_bin_laden) 
>          Greater Than Comparison                              beginning of word (i.e. >00080 and <00111) 
<          Less Than Comparison                                 beginning of word (i.e. <00080) 
regex:     REGEX Expression                                     (i.e. to retrieve only numbers: regex: [0-9]*) 
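As an added illustration of tips 1 to 3 (example code written for this page, not an XKEYSCORE tool and not its real matching engine), the Python below models the `*`, `_`, `\_` and `regex:` operators from the table as anchored regular expressions, so you can check before submitting whether a term will hit the selector you mean or a wildcarded neighbour, and it generalises the IP-range trick: any inclusive IPv4 range is split into the same kind of digit-class regexes the guide builds by hand for 202.82.86.224-244, and a self-check confirms that every address in the range is hit by exactly one term and the addresses just outside it by none. Case-insensitive, whole-value matching is an assumption on my part; the guide does not say how XKEYSCORE anchors a term, and the `!`, `<`, `>`, `and` and `or` operators are not modelled.

```python
import ipaddress
import re
from typing import List


def pattern_to_regex(term: str) -> str:
    """Translate one query term into an anchored Python regex.

    *       matches any run of characters (multiple character wildcard)
    _       matches exactly one character (single character wildcard)
    \\_     matches a literal underscore
    regex:  the rest of the term is passed through unchanged
    """
    if term.startswith("regex:"):
        return "^(?:" + term[len("regex:"):].strip() + ")$"
    out: List[str] = []
    i = 0
    while i < len(term):
        ch = term[i]
        if ch == "\\" and term[i + 1:i + 2] == "_":
            out.append("_")          # escaped underscore: literal
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "_":
            out.append(".")
        else:
            out.append(re.escape(ch))
        i += 1
    return "^" + "".join(out) + "$"


def matches(term: str, value: str) -> bool:
    """True if the selector `value` would be hit by the query term
    (assumption: case-insensitive, whole-value match)."""
    return re.match(pattern_to_regex(term), value, re.IGNORECASE) is not None


def escape_selector(selector: str) -> str:
    """Escape underscores so the term matches the selector literally."""
    return selector.replace("_", "\\_")


def _octet_classes(lo: int, hi: int) -> List[str]:
    """Split an inclusive last-octet range into decimal digit classes, the
    way the guide builds 22[4-9] / 23[0-9] / 24[0-4] by hand."""
    parts = []
    for tens in range(lo // 10, hi // 10 + 1):
        d_lo = lo % 10 if tens == lo // 10 else 0
        d_hi = hi % 10 if tens == hi // 10 else 9
        prefix = str(tens) if tens else ""
        digits = str(d_lo) if d_lo == d_hi else f"[{d_lo}-{d_hi}]"
        parts.append(prefix + digits)
    return parts


def ip_range_to_regexes(first: str, last: str) -> List[str]:
    """Expand an inclusive IPv4 range into 'regex:' terms, one per digit
    class; a range spanning several /24s gets a group of terms per /24."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    if a > b:
        raise ValueError("range start is after range end")
    terms = []
    for net in range(a >> 8, (b >> 8) + 1):
        lo = a & 0xFF if net == a >> 8 else 0
        hi = b & 0xFF if net == b >> 8 else 255
        three_octets = str(ipaddress.IPv4Address(net << 8)).rsplit(".", 1)[0]
        for cls in _octet_classes(lo, hi):
            terms.append("regex: " + re.escape(three_octets) + r"\." + cls)
    return terms


def ip_range_query(first: str, last: str) -> str:
    """The string to paste into the IP Address field (To, From or Either)."""
    return " OR ".join(ip_range_to_regexes(first, last))


def range_covered_exactly(first: str, last: str) -> bool:
    """Check the generated terms hit every address in the range exactly once
    and miss the two addresses immediately outside it."""
    terms = ip_range_to_regexes(first, last)
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    for n in range(max(a - 1, 0), min(b + 1, 2**32 - 1) + 1):
        hits = sum(matches(t, str(ipaddress.IPv4Address(n))) for t in terms)
        if hits != (1 if a <= n <= b else 0):
            return False
    return True


if __name__ == "__main__":
    print(ip_range_query("202.82.86.224", "202.82.86.244"))
    print(matches("abu_jihad", "abuljihad"))                    # unescaped: wildcard hit
    print(matches(escape_selector("abu_jihad"), "abuljihad"))   # escaped: no hit
```

The range expansion is exactly the guide's hand-built query for its example and stays correct when the range crosses a /24 boundary, which is where hand-building goes wrong most often. Because the helper escapes the dots, a stray `202.82.86.22X` with a different separator never matches; the self-check is cheap enough to run on every range before pasting the query.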
Which Query is best for me? 

Quite often the most difficult part of using XKEYSCORE is deciding which query to use 
at which time. Here's a rough guide to help you decide. 

Do you have an IP Address and want to learn more about that network? 

[Flowchart: Which XKEYSCORE Query is Best for Me?] 

I have an IP Address for a Mail/Web Server (e.g. from a DNS lookup) and need to know: 

* which email addresses are seen on the network: you'll use the EMAIL ADDRESS query 
and search on the IP. 

* which websites people on the network visit (e.g. Google Earth, web forums): you'll use 
the HTTP ACTIVITY query and pull on the IP. 
Do you have an Email Address or Foreign Domain and want to learn more about it? 

[Flowchart: Which XKEYSCORE Query is Best for Me?] 

I have an Email Address or Domain (foreign) and need to know more about it: you'll use 
the EMAIL ADDRESS query and search on the email (in Username) and domain (in Domain). 
Do you have a phone number for your target and want to learn their email address? 

[Flowchart: Which XKEYSCORE Query is Best for Me?] 

I have a Phone Number and need to know the target's email address: then use the PHONE 
NUMBER EXTRACTOR query and search on the PHONE NUMBER(S). 